Status Update
Comments
vi...@google.com <vi...@google.com> #2
sm...@gmail.com <sm...@gmail.com> #3
Thanks again for the feedback! Our product and engineering teams have evaluated the request and responded:
Hello,
An MTE-specific strlen (and the whole string.h family of functions) is necessary and desirable to detect buffer-overflow bugs.
The example you mention, vector.push_back(toCppString(**).c_str()), is a great example of the type of
Some of those specific examples of use-after-free bugs are benign, however they're still undefined behaviour. MTE catching them is the desired functionality.
ot...@google.com <ot...@google.com> #4
Thanks for your reply. I can understand that, and I found a new case where __memchr_aarch64_mte called by strstr can give an MTE error if the input pointer is not aligned to 16 bytes. I think it is a bug, right? Test case:
#include <stdlib.h>
#include <string.h>
int main(void) {
    char *data = (char*)calloc(128,1);
    memset(data, 'A', 128);               /* fill the whole 128-byte block with 'A' */
    const char *str2 = "BBbbbaa";
    char *res = strstr(data+2, str2);     /* haystack pointer is 2 bytes past the 16-byte-aligned block */
    return res != NULL; }
sm...@gmail.com <sm...@gmail.com> #5
The backtrace for the test case:
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0200007b9b4e67e0
Cause: [MTE]: Buffer Overflow, 0 bytes right of a 128-byte allocation at 0x7b9b4e6760
***
backtrace:
#00 pc 0000000000092fe0 /apex/com.android.runtime/lib64/bionic/libc.so (__strchr_aarch64_mte+96) (BuildId: cfc293be733954571ce0dc79a9917039)
#01 pc 00000000000e8f88 /apex/com.android.runtime/lib64/bionic/libc.so (strstr+24) (BuildId: cfc293be733954571ce0dc79a9917039)
#02 pc 00000000000017d8 /data/local/tmp/a.out (main+116)
Oh, sorry, the case I gave above is for __strchr_aarch64_mte; the case for __memchr_aarch64_mte is below.
#include <stdlib.h>
#include <string.h>
int main(void) {
    char *data = (char*)calloc(128,1);
    memset(data, 'A', 128);               /* fill the whole 128-byte block with 'A' */
    const char *str2 = "ABbbbAa";         /* needle now starts with 'A', so strchr succeeds and twoway_strstr runs */
    char *res = strstr(data+2, str2);
    return res != NULL; }
And the backtrace of the __memchr_aarch64_mte case:
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0f000074794803b0
Cause: [MTE]: Buffer Overflow, 0 bytes right of a 128-byte allocation at 0x7479480330
***
backtrace:
#00 pc 000000000009268c /apex/com.android.runtime/lib64/bionic/libc.so (__memchr_aarch64_mte+12) (BuildId: cfc293be733954571ce0dc79a9917039)
#01 pc 00000000000e92c0 /apex/com.android.runtime/lib64/bionic/libc.so (twoway_strstr+464) (BuildId: cfc293be733954571ce0dc79a9917039)
I think __strchr_aarch64_mte and __memchr_aarch64_mte have the same problem: they pre-read 16 bytes, and if there are two MTE tags in a single chunk of bytes, an MTE exception is raised. And that happens without any wrong operation by the developer.
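To make the granule behaviour discussed in this comment checkable offline, here is an added example (not code from this thread and not bionic's own implementation) that models MTE's 16-byte granule tagging in plain C. It assumes the read strategy the comment describes: the scan aligns the start pointer down to a granule, loads whole granules, and the hardware compares the pointer's tag with the tag of every granule touched. The model heap, its size, and the tag values are constructed for the example. The two scenarios reuse the thread's own input (a 128-byte block, every byte set to 'A', scanned from an unaligned pointer two bytes in) and the same input with the last byte left as a terminator, so you can see which of the two conditions actually produces a tag-check fault and at what address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE 16     /* MTE tags memory in 16-byte granules */
#define HEAP_SIZE 512  /* size of the constructed model heap (assumption) */

/* Constructed model heap: a flat byte array plus one tag per granule.
 * Tag 0 means "not allocated"; each allocation gets a non-zero tag. */
typedef struct {
    unsigned char bytes[HEAP_SIZE];
    uint8_t tags[HEAP_SIZE / GRANULE];
} model_heap;

/* Outcome of one modelled scan. fault_addr is the model address of the
 * first granule whose tag did not match the pointer's tag, or -1. */
typedef struct {
    size_t length;    /* bytes from start up to the terminator, if reached */
    long fault_addr;
} scan_result;

/* Tag every granule covered by an allocation of `size` bytes at `off`
 * (granule-aligned, as a tagging allocator returns). */
static void model_alloc(model_heap *h, size_t off, size_t size, uint8_t tag) {
    size_t end = (off + size + GRANULE - 1) / GRANULE;
    for (size_t g = off / GRANULE; g < end; g++)
        h->tags[g] = tag;
}

/* Model of an MTE-aware strlen: align the start pointer down to a granule,
 * load whole granules, and check the pointer's tag against every granule
 * touched. Bytes before `start` inside the first granule are ignored. */
static scan_result model_strlen(const model_heap *h, size_t start, uint8_t ptr_tag) {
    scan_result r = { 0, -1 };
    size_t chunk = start - (start % GRANULE);
    while (chunk < HEAP_SIZE) {
        if (h->tags[chunk / GRANULE] != ptr_tag) {  /* the hardware tag check */
            r.fault_addr = (long)chunk;
            return r;
        }
        for (size_t i = (chunk < start) ? start - chunk : 0; i < GRANULE; i++) {
            if (h->bytes[chunk + i] == '\0') {
                r.length = chunk + i - start;
                return r;
            }
        }
        chunk += GRANULE;
    }
    r.fault_addr = (long)HEAP_SIZE;  /* ran off the end of the model heap */
    return r;
}

/* The thread's test case: 128-byte block, every byte set to 'A', scanned
 * from an unaligned pointer two bytes in. */
static scan_result scenario_unterminated(void) {
    static model_heap h;
    memset(&h, 0, sizeof h);
    model_alloc(&h, 0, 128, 5);
    memset(h.bytes, 'A', 128);   /* no '\0' anywhere inside the 128 bytes */
    return model_strlen(&h, 2, 5);
}

/* Same block and same unaligned start, but the last byte is left as '\0'. */
static scan_result scenario_terminated(void) {
    static model_heap h;
    memset(&h, 0, sizeof h);
    model_alloc(&h, 0, 128, 5);
    memset(h.bytes, 'A', 127);
    return model_strlen(&h, 2, 5);
}

int main(void) {
    scan_result a = scenario_unterminated();
    scan_result b = scenario_terminated();
    printf("unterminated: fault at model address %ld (allocation ends at 128)\n", a.fault_addr);
    printf("terminated:   length %zu, fault_addr %ld\n", b.length, b.fault_addr);
    return 0;
}
```

In the model, the unaligned start pointer on its own never reaches a foreign granule: the first granule is loaded aligned-down and belongs to the same allocation. The fault in the first scenario is raised on the granule at model address 128, which is the first granule after the 128-byte block, matching the "0 bytes right of a 128-byte allocation" wording of the tombstones above; the scan only gets there because no terminator exists inside the block. When checking a report like this, the first thing to verify is therefore whether the string passed to strstr is terminated inside its allocation (strnlen with the allocation size is a cheap check).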
mi...@google.com <mi...@google.com> #6
Sorry, I have opened another issue for that: 317403451
Description
This is needed for some Java libraries (https://issues.apache.org/jira/browse/LUCENE-8274), but it is also needed to run any Scala code at all since Scala 2.12, because it is used as part of the Scala standard library (see https://users.scala-lang.org/t/scala-2-13-on-android/7235).